KVM-based Virtual Machine Introspection
This project adds virtual machine introspection to the KVM hypervisor.
Virtual Machine Introspection is a technology that aims to understand the guest's execution context, solely based on the VM's hardware state, for various purposes:
- Malware Analysis
- Live-Memory Analysis
- OS Hardening
See the presentations section for more information.
This project is divided into 4 components:
kvm: Linux kernel with VMI patches for KVM
qemu: patched to allow introspection
nitro (legacy): userland library which receives events, introspects the virtual machine state, and fills the semantic gap
libvmi: virtual machine introspection library with unified API across
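To make the "semantic gap" mentioned above concrete, here is an added example that is not part of kvm-vmi, libvmi or Nitro. It treats a constructed guest memory image (raw bytes, standing in for the VM's hardware state) as all the introspector gets to see, and recovers the process list only by applying an out-of-band profile of kernel struct offsets, the same way a real introspector walks `init_task.tasks`. The direct-map base address, the struct offsets, the task placement and the sample process names are all invented for the demo; real introspection translates addresses by walking the guest's page tables from CR3 and takes offsets from the kernel's debug information.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kvm-vmi/libvmi code: a toy guest memory image and
 * the out-of-band "profile" an introspector needs to bridge the semantic
 * gap. Every address and struct offset below is invented for the demo. */

#define GUEST_MEM_SIZE 4096
#define KERNEL_VA_BASE 0xffff880000000000ULL   /* assumed direct-map base */

/* Kernel layout knowledge (in real deployments derived from debug info). */
struct profile {
    uint64_t init_task_va;   /* guest VA of the init_task symbol       */
    uint32_t tasks_off;      /* offset of task_struct.tasks.next       */
    uint32_t pid_off;        /* offset of task_struct.pid (32-bit)     */
    uint32_t comm_off;       /* offset of task_struct.comm[16]         */
};

struct task_info {
    uint32_t pid;
    char comm[16];
};

static uint8_t guest_mem[GUEST_MEM_SIZE];           /* the "hardware state" */
static const uint64_t task_pa[3] = { 0x100, 0x400, 0x700 };  /* invented */

static const struct profile demo_profile = {
    .init_task_va = KERNEL_VA_BASE + 0x100,
    .tasks_off = 0x10, .pid_off = 0x40, .comm_off = 0x80,
};

/* Toy VA->PA translation: direct map only. Real VMI walks guest page
 * tables from CR3. Out-of-range addresses are rejected, never wrapped. */
static int va_to_pa(uint64_t va, size_t len, uint64_t *pa)
{
    if (va < KERNEL_VA_BASE) return -1;
    uint64_t off = va - KERNEL_VA_BASE;
    if (off >= GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - off) return -1;
    *pa = off;
    return 0;
}

static int read_guest(uint64_t va, void *dst, size_t len)
{
    uint64_t pa;
    if (va_to_pa(va, len, &pa)) return -1;
    memcpy(dst, guest_mem + pa, len);
    return 0;
}

/* Populate the image: three task_structs in a circular tasks list.
 * Fields are written in host byte order, which matches an x86 guest. */
void build_guest_image(void)
{
    const uint32_t pids[3] = { 0, 1, 4242 };
    const char *comms[3] = { "swapper", "init", "sshd" };
    memset(guest_mem, 0, sizeof guest_mem);
    for (int i = 0; i < 3; i++) {
        uint8_t *t = guest_mem + task_pa[i];
        uint64_t next = KERNEL_VA_BASE + task_pa[(i + 1) % 3] + demo_profile.tasks_off;
        memcpy(t + demo_profile.tasks_off, &next, 8);
        memcpy(t + demo_profile.pid_off, &pids[i], 4);
        strncpy((char *)t + demo_profile.comm_off, comms[i], 16);
    }
}

/* Overwrite one task's next pointer: simulates a corrupted or
 * deliberately unlinked list entry that the walker must survive. */
void corrupt_next_pointer(int idx, uint64_t bogus_va)
{
    memcpy(guest_mem + task_pa[idx] + demo_profile.tasks_off, &bogus_va, 8);
}

/* Enumerate processes from raw memory alone, as an introspector does:
 * start at init_task, follow tasks.next, undo the list_head embedding
 * with the profile (container_of). Stops on unreadable pointers and
 * after max entries, so a looped list cannot hang the walker. */
size_t walk_tasks(const struct profile *p, struct task_info *out, size_t max)
{
    size_t n = 0;
    uint64_t cur = p->init_task_va;
    while (n < max) {
        uint64_t next;
        if (read_guest(cur + p->pid_off, &out[n].pid, 4)) break;
        if (read_guest(cur + p->comm_off, out[n].comm, 16)) break;
        out[n].comm[15] = '\0';
        n++;
        if (read_guest(cur + p->tasks_off, &next, 8)) break;
        cur = next - p->tasks_off;          /* container_of(next, task_struct, tasks) */
        if (cur == p->init_task_va) break;  /* list wrapped back to init_task */
    }
    return n;
}

int main(void)
{
    struct task_info tasks[8];
    build_guest_image();
    size_t n = walk_tasks(&demo_profile, tasks, 8);
    for (size_t i = 0; i < n; i++)
        printf("pid %u comm %s\n", tasks[i].pid, tasks[i].comm);
    return 0;
}
```

The point of the demo is where the knowledge lives: `guest_mem` carries no type information at all, and `demo_profile` is the only thing that turns bytes into processes. A profile that does not match the running kernel (wrong offsets after an update, or a guest with a different layout) yields garbage rather than an error, which is why real VMI tooling pins the profile to the exact kernel build and validates what it reads.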
At the moment, 2 versions of VMI patches are available for KVM in this repository:
Follow the Setup guide
- Bringing Commercial Grade Virtual Machine Introspection to KVM
- KVM Forum 2019: Advanced VMI on KVM - A Progress Report
- Hack.lu 2019: Leveraging KVM as a Debugging Platform
- Advanced VMI on KVM: A Progress Report
The legacy VMI system contained in this repo (Nitro) is based on Jonas Pfoh's work: